Tenda RP3 Pro Firmware Update Hard-Coded Password Vulnerability in Upgrade Handler

Vulnerability

A vulnerability exists in the Tenda RP3 Pro router, affecting firmware versions prior to 22.5.7.93. The issue lies in the firmware update process, specifically in the 'force_upgrade.sh' script that handles firmware updates. The script relies on hard-coded authentication information, which can be exploited by manipulating the 'current_force_upgrade_pwd' argument. This allows authentication verification to be bypassed, potentially leading to unauthorized firmware upgrades. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.

Impact

Exploiting the authentication bypass allows a malicious firmware image to be uploaded, leading to arbitrary code execution or denial-of-service conditions.

Reproduction

To reproduce this vulnerability, access a Tenda RP3 Pro router running a firmware version prior to 22.5.7.93. During the firmware update process, manipulate the 'current_force_upgrade_pwd' argument to exploit the hard-coded password. This is done by offsetting 20 bytes into 'force_upgrade_info' to obtain 'force_upgrade_pwd', which is then compared with 'current_force_upgrade_pwd' to bypass authentication verification.
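
To triage a device inventory against the affected range stated above (firmware prior to 22.5.7.93), the following shell check can be used. It is an added example, not code from this advisory or from Tenda. The device names and version strings in the sample are constructed, and the script assumes firmware versions are reported as dotted numeric strings.

```shell
# Added example: flag devices whose firmware predates the fixed release.
FIXED_VERSION="22.5.7.93"   # first non-affected version, per the advisory text

# is_valid V: succeeds only for dotted numeric strings such as 22.5.7.93.
is_valid() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
}

# version_lt A B: 0 if A < B, 1 if A >= B, 2 if either is malformed.
# Fields are compared numerically, so 22.5.10.2 is newer than 22.5.7.93
# even though a plain string comparison would say otherwise.
version_lt() {
    is_valid "$1" && is_valid "$2" || return 2
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0   # missing fields count as 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # versions are equal, so not older than the fix
}

# triage_inventory: reads "name version" lines on stdin, prints one verdict each.
# Unparseable versions are reported as UNKNOWN rather than silently passed.
triage_inventory() {
    while read -r host ver rest || [ -n "$host" ]; do
        case "$host" in ""|\#*) continue ;; esac
        version_lt "$ver" "$FIXED_VERSION" && rc=0 || rc=$?
        case $rc in
            0) echo "AFFECTED $host $ver" ;;
            1) echo "OK $host $ver" ;;
            *) echo "UNKNOWN $host $ver" ;;
        esac
    done
}

# Constructed sample inventory (hypothetical device names and versions).
sample_inventory() {
    cat <<'EOF'
# name          firmware
rp3pro-lobby    22.5.7.93
rp3pro-lab      22.5.7.9
rp3pro-branch   22.5.6.120
rp3pro-new      22.5.10.2
rp3pro-spare    V22.5.7.x
EOF
}

sample_inventory | triage_inventory
```

Devices reported as UNKNOWN need a manual version check before they are treated as patched.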

Added: Oct 13, 2025, 7:19 AM
Updated: Oct 13, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.